A Deeper Dive into the Application Security and Continuous Testing Integration

Integrating Security and Testing

The integration of Digital.ai Application Security with our automated testing solution, Continuous Testing, gives customers the ability to perform automatic performance, functionality, and accessibility testing on secured (hardened) applications. This document describes the benefits of this integration and explains how the integration avoids introducing new threat vectors.

The Challenge: Testing Hardened Apps

Before this integration it was impossible to put hardened apps, whether they were hardened by Digital.ai or by a competing app hardening product, into any test harness or debugger, regardless of what type of testing solution was used. That meant that prior to this integration, companies had two options for testing their applications:

  1. Test a “clone” of the secured app that does not have protections, or
  2. Perform only a subset of manual tests on secured apps.

The end result of the lack of integration was, in case #1, the occasional accidental release of unprotected apps or, in case #2, costly and slow testing procedures that were not comprehensive. In other words, either poor-quality or less secure apps were being released into the wild.

Benefits of the Integration

The integration allows for automatic testing of hardened apps. Providing for this capability has multiple benefits:

  1. High Quality and Security: It ensures that only fully tested and protected apps are released, maintaining high standards of quality and security.
  2. Cost Efficiency: It reduces the reliance on costly and time-consuming manual testing, allowing for more comprehensive and automated testing processes.

How the Integration Works

To enable seamless testing in the Continuous Testing environment, we have made specific optimizations to DAI AppSec, without altering Continuous Testing itself. These optimizations allow DAI AppSec to recognize Continuous Testing as a non-dangerous environment, preventing the app from taking the evasive actions that an instrumented test environment would normally trigger and that would otherwise prevent the protected app from being fully tested in any other test environment.

Optimizations and Safeguards

We have made optimizations to a handful of the dozens of guards available to our customers. The guards we have optimized have been enhanced to recognize the Continuous Testing environment. In order to illustrate the “how”, we’ll discuss one of the guards we’ve changed: the Signature Verification guard.

Here’s how the Signature Verification guard works: Typically, any environment that instruments an app for testing must re-sign the app, which would trigger the Signature Verification guard and prevent the app from running. This same mechanism ensures that any unauthorized re-signing by a threat actor would be detected, and the app would refuse to run, thwarting dynamic analysis attempts. In order to allow hardened apps to be automatically tested, we’ve enhanced the Signature Verification guard to recognize when it is in the Continuous Testing environment and to not fire under that condition.

Importantly, there is no visible flag within the app that indicates whether the Continuous Testing integration has been activated. This means a threat actor has no indication of whether mimicking the Continuous Testing environment would bypass security measures. Furthermore, even if the threat actor were to somehow discover that an app had taken advantage of the optimization to the Signature Verification guard, they would then have to set up a test environment that mimics the Continuous Testing environment. This setup is a complex and costly endeavor, as Continuous Testing is a proprietary SaaS product and Digital.ai only sells to verified legitimate customers.

Complexity and Interconnected Guards

Even if both of the above conditions were somehow met, the threat actor would encounter another, even more difficult challenge: a network of interconnected guards, much like a complex web. Even if one strand of this web (a specific guard) were to be discovered and then weakened or bypassed, the overall structure of the web remains robust. In other words, in order to take advantage of the hypothetical new threat vector introduced by the optimization of the Signature Verification guard (itself a highly unlikely feat), a threat actor would still need to navigate multiple layers of protection, each working in tandem, to crack the application.

Communication and Transparency

Hopefully this example explains just how difficult it would be for a threat actor to somehow “exploit” the change we’ve made to the Digital.ai Application Security product. There are additional steps we’ve taken to protect apps that are tested in Continuous Testing that we cannot divulge; while we strive to be transparent with our customers, we do not disclose all technical details of all of our security measures. This is a standard practice to maintain the efficacy of our protections.

Conclusion

The integration of DAI AppSec with Continuous Testing is crucial for several reasons:

  1. Improved Iteration: It allows for performance and functional testing iterations without compromising security.
  2. Prevention of Accidental Release: It mitigates the risk of accidental release of unprotected apps.
  3. Cost Savings: It reduces costs by avoiding manual testing.
  4. Enhanced Testing: It enables better and more thorough testing of protected applications by allowing automated performance, functional, and accessibility testing to continue on hardened applications.

We remain committed to providing robust security and high-quality solutions. For more information, visit https://digital.ai/solutions/deliver-secure-quality-mobile-apps/ or contact your Account Executive.